Hi,

you max out the 32 group limit of your UNIX (02-33), and the group you
want is over 33. Check how many Windows groups you are in.

Charles

On Wed, 4 Aug 2004 07:46:22 -0500
"Ziller, James" <[EMAIL PROTECTED]> wrote:

> After some more screwing around with leaving and rejoining the ADS
> domain I was finally able to access a share with "valid users =" set
> to a domain group I was a member of. The _only_ change I made after
> this was to add yet another group to the valid users on the share and
> restart samba...after that I could no longer access the share. I
> removed the additional group, restarted samba and could still not
> access the share. I then tried adding my domain username to "valid
> users=" and it worked fine. So I'm back in the same boat again, users
> work, groups don't. Has anyone seen this problem before? Or does
> anyone have advice for tracking down the root of this problem? I've
> had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded
> kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd
> in debug doesn't seem to indicate any problem. Here's the output of
> winbindd anyway, with debug level 3 after a failed login attempt from
> windows:
>
> [ 2627]: getgrnam QG+TEST
> rpc: name_to_sid name=TEST
> name_to_sid [rpc] TEST for domain QG
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads lookup_groupmem for
> sid=S-1-5-21-842925246-1647877149-1417001333-57015
> [ 2627]: getgrnam QG+TEST
> [ 2627]: getgrnam QG+TEST
> [ 2629]: request interface version
> [ 2629]: request location of privileged pipe
> [ 2629]: domain_info [QG.COM]
> [ 2629]: getpwnam qg+jzillera
> rpc: name_to_sid name=jzillera
> name_to_sid [rpc] jzillera for domain QG
> ads: query_user
> ads query_user gave JZILLERA
> [ 2629]: getgroups QG+jzillera
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for
> domain QG
> [ 2629]: gid to sid 10002
> [ 2629]: gid to sid 10003
> [ 2629]: gid to sid 10004
> [ 2629]: gid to sid 10005
> [ 2629]: gid to sid 10006
> [ 2629]: gid to sid 10007
> [ 2629]: gid to sid 10008
> [ 2629]: gid to sid 10009
> [ 2629]: gid to sid 10010
> [ 2629]: gid to sid 10011
> [ 2629]: gid to sid 10012
> [ 2629]: gid to sid 10013
> [ 2629]: gid to sid 10014
> [ 2629]: gid to sid 10015
> [ 2629]: gid to sid 10016
> [ 2629]: gid to sid 10017
> [ 2629]: gid to sid 10018
> [ 2629]: gid to sid 10019
> [ 2629]: gid to sid 10020
> [ 2629]: gid to sid 10021
> [ 2629]: gid to sid 10022
> [ 2629]: gid to sid 10023
> [ 2629]: gid to sid 10024
> [ 2629]: gid to sid 10025
> [ 2629]: gid to sid 10026
> [ 2629]: gid to sid 10027
> [ 2629]: gid to sid 10028
> [ 2629]: gid to sid 10029
> [ 2629]: gid to sid 10030
> [ 2629]: gid to sid 10031
> [ 2629]: gid to sid 10032
> [ 2629]: gid to sid 10033
> [ 2629]: getpwnam QG+jzillera
> [ 2629]: getgrnam QG+TEST
>
> That's it.
>
> Again, the output of 'getent group' shows my user as being a member of
> QG+TEST:
>
> QG+TEST:x:10000:QG+JZILLERA
>
> If you would like any more info please ask....thanks!
>
> -James
>
> > -----Original Message-----
> > From: Ziller, James
> > Sent: Monday, August 02, 2004 4:08 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Problems w/ winbind and AD group membership
> >
> > Hello friends,
> >
> > I am using samba to join a linux box to an active directory domain
> > to use as a file server. I would like to be able to control access
> > to shares based on AD domain groups. However, even though winbind
> > seems to be seeing the groups fine, samba is not granting access to
> > users who are members of the group. I am able to successfully join
> > the system to the domain and granting access to shares based on
> > Windows usernames works fine.
> >
> > getent group returns:
> > QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG
> > +PL YNCHA
> >
> > However an id lookup of my windows username doesn't list me as a
> > group member of QG+TEST. (shouldn't it?)
> >
> > [EMAIL PROTECTED] root]# id qg+jzillera
> > uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
> > groups=10000(QG+Domain Users)
> >
> > System Details:
> > Redhat 9
> > samba-3.0.5-2
> > krb5-libs-1.2.7-10
> > krb5-devel-1.2.7-10
> > krb5-workstation-1.2.7-10
> > pam_krb5-1.60-1
> >
> > [EMAIL PROTECTED] root]# wbinfo -t
> > checking the trust secret via RPC calls succeeded
> >
> > [EMAIL PROTECTED] root]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[test]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > workgroup = QG
> > realm = QG.COM
> > server string = Samba Server
> > security = ADS
> > obey pam restrictions = Yes
> > password server = wadc2
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > load printers = No
> > printcap name = /etc/printcap
> > local master = No
> > domain master = No
> > dns proxy = No
> > wins support = Yes
> > idmap uid = 10000-30000
> > idmap gid = 10000-30000
> > winbind separator = + (tried with # and \ as well)
> > winbind use default domain = Yes (tried with No)
> >
> > [test]
> > comment = testing
> > path = /mnt/qdsfsl01/resources/testing
> > valid users = @QG+TEST
> > write list = @QG+TEST
> >
> > Winbind logs show nothing that indicates any error, even when run
> > with debug level 3. I've been beating myself over the head with this
> > problem for months...any help or suggestions would be greatly
> > appreciated.
> >
> > Thanks!
> >
> > James Ziller
> > Systems Administrator
> >
> > Quad/Graphics - Q/DS
> > West Allis, Wisconsin
> > [EMAIL PROTECTED]
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba

--
Charles Bueche <[EMAIL PROTECTED]>
sand, snow, wave, wind and net -surfer
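
One way to run the check suggested in the reply over a saved winbindd debug log, as an added example that is not part of the original thread: it counts the "gid to sid" lookups that follow a "getgroups" request and tests whether the share group's gid is among them. It assumes, as the reply does, that those lookups are the user's group list; the sample log, the function names and the default limit of 32 are constructed for illustration.

```python
import re
from collections import defaultdict

GROUP_LIMIT = 32  # limit named in the reply; compare with `getconf NGROUPS_MAX`

# Constructed sample in the shape of the winbindd level-3 output quoted above.
SAMPLE_LOG = "\n".join(
    ["[ 2629]: getpwnam qg+jzillera", "[ 2629]: getgroups QG+jzillera"]
    + [f"[ 2629]: gid to sid {g}" for g in range(10002, 10034)]
    + ["[ 2629]: getgrnam QG+TEST"]
)
SAMPLE_GETENT = "QG+TEST:x:10000:QG+JZILLERA"

LINE = re.compile(r"^\[\s*(\d+)\]:\s+(getgroups|gid to sid)\s+(\S+)")


def gids_per_user(log_text):
    """Return {user: [gid, ...]} from the lookups that follow each getgroups."""
    current = {}                 # winbindd client pid -> user being resolved
    found = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> "))      # tolerate mail quoting
        if not m:
            continue
        pid, verb, arg = m.groups()
        if verb == "getgroups":
            current[pid] = arg.lower()
            found[current[pid]] = []          # keep only the latest request
        elif pid in current:
            # Assumption: every later lookup from this pid belongs to the user.
            found[current[pid]].append(int(arg))
    return dict(found)


def diagnose(log_text, getent_line, user, limit=GROUP_LIMIT):
    """Compare one `getent group` line with what winbindd resolved for user."""
    name, _pw, gid, members = getent_line.strip().split(":", 3)
    gids = gids_per_user(log_text).get(user.lower(), [])
    return {
        "group": name,
        "listed_member": user.lower() in [m.lower() for m in members.split(",")],
        "resolved": len(gids),
        "at_limit": len(gids) >= limit,
        "gid_resolved": int(gid) in gids,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_GETENT, "QG+jzillera"))
```

A result with listed_member and at_limit both true and gid_resolved false matches the situation the reply describes: the group lists the user, but its gid is not among the ones resolved for the session.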